mirror of
https://github.com/SoftEtherVPN/SoftEtherVPN.git
synced 2024-11-22 09:29:52 +03:00
Compare commits
20 Commits
1fafd78fb1
...
a66cf64155
Author | SHA1 | Date | |
---|---|---|---|
|
a66cf64155 | ||
|
4e8f797036 | ||
|
b1bdc03cd7 | ||
|
c76f11a523 | ||
|
25585a1e3d | ||
|
4370efcc90 | ||
|
b8fbb3e3d8 | ||
|
98a8d5249d | ||
|
dd2a53e049 | ||
|
7ce9c088ff | ||
|
c2a7aa5481 | ||
|
6f57449164 | ||
|
48f6bc57cc | ||
|
bc31a5cfd3 | ||
|
68964ab0d7 | ||
|
bf3c50fde4 | ||
|
b06486b37d | ||
|
63ffab9ee4 | ||
|
2fe4ca0f8c | ||
|
a50d8910ba |
3
.github/workflows/fedora-rawhide.yml
vendored
3
.github/workflows/fedora-rawhide.yml
vendored
@ -4,6 +4,7 @@ on:
|
||||
schedule:
|
||||
- cron: "0 0 25 * *"
|
||||
push:
|
||||
pull_request:
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
@ -24,7 +25,7 @@ jobs:
|
||||
submodules: true
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
dnf -y install git cmake ncurses-devel openssl-devel libsodium-devel readline-devel zlib-devel gcc-c++ clang
|
||||
dnf -y install git cmake ncurses-devel openssl-devel-engine libsodium-devel readline-devel zlib-devel gcc-c++ clang
|
||||
- name: Compile with ${{ matrix.cc }}
|
||||
run: |
|
||||
export CC=${{ matrix.cc }}
|
||||
|
@ -3,7 +3,7 @@ cmake_minimum_required(VERSION 3.10)
|
||||
set(BUILD_NUMBER CACHE STRING "The number of the current build.")
|
||||
|
||||
if ("${BUILD_NUMBER}" STREQUAL "")
|
||||
set(BUILD_NUMBER "5185")
|
||||
set(BUILD_NUMBER "5186")
|
||||
endif()
|
||||
|
||||
if (BUILD_NUMBER LESS 5180)
|
||||
|
@ -1,5 +1,5 @@
|
||||
{
|
||||
"environments": [ { "BuildNumber": "5185" } ],
|
||||
"environments": [ { "BuildNumber": "5186" } ],
|
||||
"configurations": [
|
||||
{
|
||||
"name": "x64-native",
|
||||
|
@ -201,7 +201,9 @@ Also SoftEther VPN [Stable Edition](https://www.freshports.org/security/softethe
|
||||
|
||||
## For Windows
|
||||
|
||||
[Nightly builds](https://dev.azure.com/SoftEther-VPN/SoftEther%20VPN/_build?definitionId=6)
|
||||
[Releases](https://github.com/SoftEtherVPN/SoftEtherVPN/releases)
|
||||
|
||||
[Nightly builds](https://github.com/SoftEtherVPN/SoftEtherVPN/actions/workflows/windows.yml)
|
||||
(choose appropriate platform, then find binaries or installers as artifacts)
|
||||
|
||||
## From binary installers (stable channel)
|
||||
|
@ -463,39 +463,13 @@ void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
|
||||
seq = READ_UINT(src + sizeof(UINT));
|
||||
|
||||
// Search and retrieve the IPsec SA from SPI
|
||||
|
||||
// thank to @phillibert report, responding to bad SA might lead to amplification
|
||||
// according to RFC4303 we should drop such packets
|
||||
|
||||
ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi);
|
||||
if (ipsec_sa == NULL)
|
||||
{
|
||||
// Invalid SPI
|
||||
UINT64 init_cookie = Rand64();
|
||||
UINT64 resp_cookie = 0;
|
||||
IKE_CLIENT *c = NULL;
|
||||
IKE_CLIENT t;
|
||||
|
||||
|
||||
Copy(&t.ClientIP, &p->SrcIP, sizeof(IP));
|
||||
t.ClientPort = p->SrcPort;
|
||||
Copy(&t.ServerIP, &p->DstIP, sizeof(IP));
|
||||
t.ServerPort = p->DestPort;
|
||||
t.CurrentIkeSa = NULL;
|
||||
|
||||
if (p->DestPort == IPSEC_PORT_IPSEC_ESP_RAW)
|
||||
{
|
||||
t.ClientPort = t.ServerPort = IPSEC_PORT_IPSEC_ISAKMP;
|
||||
}
|
||||
|
||||
c = Search(ike->ClientList, &t);
|
||||
|
||||
if (c != NULL && c->CurrentIkeSa != NULL)
|
||||
{
|
||||
init_cookie = c->CurrentIkeSa->InitiatorCookie;
|
||||
resp_cookie = c->CurrentIkeSa->ResponderCookie;
|
||||
}
|
||||
|
||||
SendInformationalExchangePacketEx(ike, (c == NULL ? &t : c), IkeNewNoticeErrorInvalidSpiPayload(spi), false,
|
||||
init_cookie, resp_cookie);
|
||||
|
||||
SendDeleteIPsecSaPacket(ike, (c == NULL ? &t : c), spi);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -20,7 +20,9 @@
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/rand.h>
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
#include <openssl/engine.h>
|
||||
#endif
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/pkcs7.h>
|
||||
@ -88,6 +90,7 @@ int ssl_clientcert_index = 0;
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
static OSSL_PROVIDER *ossl_provider_legacy = NULL;
|
||||
static OSSL_PROVIDER *ossl_provider_default = NULL;
|
||||
static OSSL_PROVIDER *ossl_provider_oqsprovider = NULL;
|
||||
#endif
|
||||
|
||||
LOCK **ssl_lock_obj = NULL;
|
||||
@ -3974,6 +3977,12 @@ void FreeCryptLibrary()
|
||||
OSSL_PROVIDER_unload(ossl_provider_legacy);
|
||||
ossl_provider_legacy = NULL;
|
||||
}
|
||||
|
||||
if (ossl_provider_oqsprovider != NULL)
|
||||
{
|
||||
OSSL_PROVIDER_unload(ossl_provider_oqsprovider);
|
||||
ossl_provider_oqsprovider = NULL;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -3996,6 +4005,7 @@ void InitCryptLibrary()
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy");
|
||||
ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default");
|
||||
ossl_provider_oqsprovider = OSSL_PROVIDER_load(NULL, "oqsprovider");
|
||||
#endif
|
||||
|
||||
ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL);
|
||||
|
@ -11917,6 +11917,10 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
|
||||
Unlock(openssl_lock);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST);
|
||||
#endif
|
||||
|
||||
if (sock->ServerMode)
|
||||
{
|
||||
// Lock(ssl_connect_lock);
|
||||
@ -11996,7 +12000,7 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
|
||||
// Unlock(ssl_connect_lock);
|
||||
}
|
||||
else
|
||||
{
|
||||
{
|
||||
prev_timeout = GetTimeout(sock);
|
||||
SetTimeout(sock, ssl_timeout);
|
||||
// Client mode
|
||||
|
@ -59,6 +59,10 @@ struct DYN_VALUE
|
||||
|
||||
#define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES"
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
#define PQ_GROUP_LIST "p521_kyber1024:x25519_kyber768:P-521:X25519:P-256"
|
||||
#endif
|
||||
|
||||
// SSL logging function
|
||||
//#define ENABLE_SSL_LOGGING
|
||||
#define SSL_LOGGING_DIRNAME "@ssl_log"
|
||||
|
Loading…
Reference in New Issue
Block a user